Senator Claims UnitedHealth’s CEO, Board Appointed Unqualified CISO
Senator Ron Wyden, who is possibly the biggest advocate on Capitol Hill for cybersecurity and privacy, laid into UnitedHealth Group’s CEO for their cybersecurity practices. Their practices led to a breach that affected possibly one third of the adults in the US who have health insurance.
Senator Wyden also asked the FTC and SEC to investigate UHG’s many security failures that led to the attack.
One failure that Wyden picked up on is that one of the largest health insurance companies in the country appointed a CISO in 2023 who had no prior CISO experience at all and, in fact, had never held a security-related role in his 30-year career.
While the CISO, Steven Martin, has decades of tech experience, including serving as Chief Digital Officer at GE Power, Chief Commercial Officer at GE Digital, and in multiple roles at Microsoft (data scientist, customer acquisition and more), he has never held a security-titled role. He has also held multiple marketing-related roles at tech companies.
And here is a key point:
Wyden says it would be unfair to scapegoat the CISO for ALL of the company's security failings, and that the blame should instead lie with CEO Andrew Witty and the board for placing Martin in that role in the first place. (Note to lawyers: did you hear that?)
Wyden also highlighted the lack of MFA on a remote access server, which some have called “weapons-grade negligence”.
Other critics highlighted the lack of network segmentation, which was the primary cause of the Target breach more than a decade ago, and the lack of threat hunting.
Wyden is calling for a full regulatory investigation.
Whether or not the feds investigate, these disclosures add a lot of ammunition to the class action lawsuits that will evolve out of this breach. And the primary targets may well be the CEO and the board. After all, this breach is likely to cost ChangeHealth one-third to one-half of its total annual REVENUE.
This should be a call to action for all companies to make sure that they hire qualified and sufficient cybersecurity expertise.
If you need help with acquiring or vetting talent or creating requirements for your cybersecurity program, please contact us.
Credit: The Register